Snort mailing list archives
Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY
From: wkitty42 () windstream net
Date: Sat, 7 Oct 2017 13:29:25 -0400
On 10/05/2017 07:29 AM, Besal Mon wrote:
Hi,I was going through on of your reply from Snort mail list below - http://seclists.org/snort/2014/q3/453
wow... that's really old...
I was hoping if you can advice the below is also because of directory string is longer than the max configured ?
i will do this this once in private... the NOTE at the end of my post(s) still applies so this reply is also CC'd to the snort list...
*[119:15:2] http_inspect: OVERSIZE REQUEST-URI DIRECTORY [Impact: Potentially Vulnerable] From "WKSE0XX1IPS02" at Thu Oct 5 09:06:23 2017 UTC [Classification: Potentially Bad Traffic] [Priority: 2] {tcp} 109.156.91.119:56865 (united kingdom)->62.7.228.234:80 (united kingdom)*Can you please advice how we can increase the URI lengths.
in your snort.conf, look for the "preprocessor http_inspect" section... then look for the "oversize_dir_length" setting and adjust the number larger or smaller as desired... you should read the README.http_inspect file, as well... probably the other README.* files, too ;)
do NOT remove the '\' at the end of the line when changing that number, either... that is the "line continuation" indicator and is needed in this format...
you should look at your server logs or your data of the outgoing requests to see what's causing those long URLs... we find a lot of them are for ads... some URLs may indicate inbound infiltration or outbound exfiltration attempts... while you are looking at the data, you can also determine a decent path length size for the number above...
*Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY* -------------------------------------------------------------------------------- /From/: waldo kitty <wkitty42 () windstream net> /Date/: Mon, 28 Jul 2014 23:04:44 -0400 -------------------------------------------------------------------------------- On 7/28/2014 11:23 AM, Rowell Dionicio wrote: I’m getting a lot of false positives on: http_inspect: OVERSIZE REQUEST-URI DIRECTORYI know it’s a preprocessor analyzing http traffic where the directory string islonger than the max configured but almost all that I have seen are legitimate web traffic.this is where tuning comes into play... you have to tune snort for yournetwork's traffic... it seems to me that URI lengths have gotten quite long in recent years with all the ads and other shite flowing around the net... i set my URL lengths to at least 750 characters several years back... i may have also suppressed this alert for external sites and kept it active for my hosted servers...Does this mean most of the web traffic is just pushing lots of characters intothe directory stringyes... making this inspection mostly useless? the default? yes... but this is why tuning snort (or any other IDS/IPS) ismandatory... there is no such thing as a one-size-fits-all installation with these things ;)It seems that creating an alert that looks for something, a vulnerability,within the content using pcre would make more sense.that's another aspect and what rules developers do... however, being able todetect basic problems like this can also lead one to locating infestations...Do most of you suppress these alerts or increase the directory length? increase the setting so that it fits your hosted servers... if you have nohosted servers, then yes, you might want to suppress the alert...HTH ;) --NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
-- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list unless* *a signed and pre-paid contract is in effect with us.* _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: High Amount of http_inspect: OVERSIZE REQUEST-URI DIRECTORY wkitty42 (Oct 07)